YahaSux
Email-Worm.Win32.YahaSux or YahaSux, also known as Sahay is a mass mailer worm with viral capabilities that attempts to delete certain variants of the Yaha worm. It was coded by Belgian virus/worm coder Gigabyte and was never released into the wild. It stands as an example of some possibly beneficial use for self-replicating code. Details YahaSux arrives in an email with a subject line of "Fw: Sit back and be surprised.. ". The body reads: Think of a number between 1 and 52. Say it out loud, and keep repeating while you read on. Think of the name of someone you know (of the opposite sex). Now count which place in the alphabet, the second letter of that name has. Add that number to the number you were thinking of. Say the number out loud 3 times. Now count which place in the alphabet the first letter of your first name has, and substract that number from the one you just had. Say it out loud 3 times. Now sit back, watch the attached slide show, and be surprised.. The attachment is a screensaver named MathMagic.scr. When executed, it searches for the Yaha executable nav32_loader.exe in the system folder as well as its own MathMagic.scr. If these files are not found, it copies itself as winstart.exe to the system folder. It attempts to kill the process WinServices.exe or WINSER~1.EXE, both of which belong to the Yaha.K worm. It removes Yaha.K's executable from the registry key that causes it to start before any .exe file is run and restores that key to its origninal values. It also deletes Yaha.K's executable from the WinServices subkey of the registry key that causes it to run whenever Windows starts. It adds itself to this key by placing the value "Default = (system directory)\winstart.exe" in it. Yahasux will create the file yahasux.exe in the system folder and the Mirc Download folder. This is actually a copy of the file mprexe.exe, which allows a computer to use multiple network protocols and adapters. It may copy this file and continue appending it multiple times until the disk is full. It deletes the following files from the system directory: *Be_Happy.scr *Best_Friend.scr *colour_of_life.scr *dance.scr *Friend_Finder.exe *Friend_Happy.scr *friendship.scr *friendship_funny.scr *funny.scr *GC_Messenger.exe *hotmail_hack.exe *I_Like_You.scr *life.scr *love.scr *nav32_loader.exe *shake.scr *Sweet.scr *True_Love.scr *WinServices.exe *world_of_friendship.scr It sets the Internet Explorer homepage to http://127.0.0.1/. Yahasux prepends itself to all .exe files in the mirc and mirc\download folder under Program Files. If it finds no MathMagic.scr file at the root of the C: drive, it will drop one there. It also drops its mass mailing component, yahasux.vbs, and executes it. It will mail Yahasux to all email addresses in the Outlook Address Book. It shuts the computer down after 40 seconds. When the worm restarts with the computer, it deletes the file tcpsvs32.exe, another file associate with Yaha.K. It then displays a message explaining the infection. Background YahaSux was coded by Gigabyte in retaliation for Yaha.K, a variant of Yaha that turns the Internet Explorer home page to Coderz.net, the site where Gigabyte's own pages are located. This could have potentially overloaded the server of Coderz.net. Name YahaSux is named by its creator because she hated a particular variant of Yaha and its creator. Most antivirus companies call it Sahay, "Yaha" backwards with the first letter in Sux. This is probably because "Sux" implies oral sex and antivirus naming standards prohibit obscene names. Antivirus Aliases *BitDefender: Win32.Sahay.B@mm *Doctor Web: Win32.HLLM.Sahay.2 *Kaspersky: Email-Worm.Win32.Sahay.b *McAfee: W32/Sahay.worm *Symantec: W32.Sahay.A@mm *Trend Micro: PE_SAHAY.A Other Facts Yaha.Q contains a message in its code to Gigabyte about Yahasux: "to gigabyte: chEErS pAL, kEEp uP tHe g00d w0rK..buT W32.HLLP.YahaSux is.. lolz ;)". This message is not visible in the email or in any displayed message when the worm infects a computer, but it can be viewed when the worm is opened with a text or hex editor. YahaSux is not the first virus or worm to attack another. In 1989, a Macintosh virus named Anti.A was created to delete Anti.B, although Anti.B did not appear until a year later. In early 1999, a macro by the name of Ethan attempted to delete the macro Class. In late summer of 2001 All3gro attacked Sircam, Badtrans and PrettyPark. Sources Scott Mollencamp. CA, Win32.Sahay.A. 2003.01.15-19 Mary Landesman. Antivirus, About.com, "Sahay Worm: Giga takes byte out of Yaha worm.". Perantivirus.com, "Sahay". McAfee Antivirus, W32/Sahay.worm. Dialogue Science, "Win32.HLLM.Sahay". The Age, Female virus writer creates new worm. 2003.01.14 Category:Worm Category:Mass mailer worm Category:Viral worm Category:Nematode Category:Social engineer Category:Win32 worm Category:Win32 Category:Microsoft Windows